package org.jfrog.security.crypto;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.apache.commons.codec.digest.DigestUtils;
import org.jfrog.security.crypto.encoder.EncryptedString;
import org.jfrog.security.crypto.exception.CryptoRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jfrog/security/crypto/JFrogMasterKeyEncrypter.class */
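/**
 * Encrypts and decrypts strings with AES-GCM under a single master key.
 *
 * <p>The binary layout produced by {@link #encrypt(String)} is
 * {@code IV (12 bytes) || ciphertext || GCM tag (16 bytes)}, wrapped in an
 * {@link EncryptedString} together with a short key id and an algorithm label.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No additional authenticated data is passed to the cipher, so the key id and algorithm
 *       label in the {@link EncryptedString} envelope are not covered by the GCM tag. They are
 *       only compared against this instance's values before decryption.</li>
 *   <li>IVs are 96 random bits per message. Random GCM nonces have a collision bound, so a single
 *       key should not be used for an unbounded number of encryptions (NIST SP 800-38D
 *       recommends at most 2^32 invocations per key with random IVs).</li>
 *   <li>Any tag mismatch (tampered data, wrong key) surfaces as a {@link CryptoRuntimeException}
 *       wrapping the provider's {@link GeneralSecurityException}.</li>
 * </ul>
 */
public class JFrogMasterKeyEncrypter {
    private static final Logger log = LoggerFactory.getLogger(JFrogMasterKeyEncrypter.class);
    public static final String AES_CYPHER_TRANSFORM = "AES/GCM/NoPadding";
    public static final String ALG_AES_GCM_128 = "aesgcm128";
    public static final String ALG_AES_GCM_256 = "aesgcm256";
    /** GCM authentication tag length in bytes. */
    private static final int GCM_TAG_LENGTH = 16;
    /** GCM authentication tag length in bits, as required by {@link GCMParameterSpec}. */
    private static final int GCM_TAG_LENGTH_BITS = GCM_TAG_LENGTH * 8;
    /** GCM initialization vector length in bytes (96 bits). */
    private static final int GCM_IV_LENGTH = 12;
    /** Raw length in bytes of an AES-128 key; used only to pick the algorithm label. */
    private static final int AES_128_KEY_LENGTH = 16;
    /** Smallest valid payload: an IV plus the tag of an empty plaintext. */
    private static final int MIN_CIPHER_TEXT_LENGTH = GCM_IV_LENGTH + GCM_TAG_LENGTH;
    private final SecretKey secretKey;
    final String keyId;
    final String alg;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jfrog/security/crypto/JFrogMasterKeyEncrypter$AesCipherText.class */
    /**
     * Holder that splits or joins the {@code IV || ciphertext+tag} byte layout.
     * The arrays are stored by reference, not copied.
     */
    public static class AesCipherText {
        private final byte[] iv;
        private final byte[] cipherNoIv;

        /** Wraps a freshly generated IV and the cipher output produced with it. */
        private static AesCipherText fromIvAndCipher(byte[] bArr, byte[] bArr2) {
            return new AesCipherText(bArr, bArr2);
        }

        /**
         * Splits a combined payload into its IV prefix and the remaining ciphertext+tag.
         * The caller must have checked that the payload is at least {@code GCM_IV_LENGTH} bytes;
         * {@link Arrays#copyOfRange} throws {@link IllegalArgumentException} otherwise.
         */
        private static AesCipherText fromCipherTextWithIv(byte[] bArr) {
            return new AesCipherText(extractInitializationVector(bArr), removeInitializationVector(bArr));
        }

        private AesCipherText(byte[] bArr, byte[] bArr2) {
            this.iv = bArr;
            this.cipherNoIv = bArr2;
        }

        /** Returns a new array holding {@code iv || cipherNoIv}. */
        private byte[] getCipherText() {
            // Size the buffer from the actual IV so the two copies below can never overrun it.
            byte[] combined = new byte[this.iv.length + this.cipherNoIv.length];
            System.arraycopy(this.iv, 0, combined, 0, this.iv.length);
            System.arraycopy(this.cipherNoIv, 0, combined, this.iv.length, this.cipherNoIv.length);
            return combined;
        }

        /** Returns a copy of the first {@code GCM_IV_LENGTH} bytes of the payload. */
        private static byte[] extractInitializationVector(byte[] bArr) {
            return Arrays.copyOfRange(bArr, 0, JFrogMasterKeyEncrypter.GCM_IV_LENGTH);
        }

        /** Returns a copy of everything after the IV prefix (ciphertext followed by the tag). */
        private static byte[] removeInitializationVector(byte[] bArr) {
            return Arrays.copyOfRange(bArr, JFrogMasterKeyEncrypter.GCM_IV_LENGTH, bArr.length);
        }
    }

    /**
     * Creates an encrypter from a string-encoded AES key.
     *
     * @param str key material in the format accepted by {@code JFrogCryptoHelper.aesFromString}
     */
    public JFrogMasterKeyEncrypter(String str) {
        this.secretKey = JFrogCryptoHelper.aesFromString(str);
        this.keyId = calculateKeyId(this.secretKey);
        // NOTE(review): every key that is not exactly 16 bytes is labelled "aesgcm256", including a
        // 24-byte AES-192 key if aesFromString accepts one. Confirm the accepted key sizes.
        this.alg = this.secretKey.getEncoded().length == AES_128_KEY_LENGTH ? ALG_AES_GCM_128 : ALG_AES_GCM_256;
    }

    /**
     * Encrypts the given text and wraps it with this instance's key id and algorithm label.
     *
     * @param str plaintext; must not be null
     * @return the envelope containing key id, algorithm and {@code IV || ciphertext || tag}
     * @throws NullPointerException if {@code str} is null
     * @throws CryptoRuntimeException if the cipher cannot be created or fails
     */
    @Nonnull
    public EncryptedString encrypt(@Nonnull String str) {
        Objects.requireNonNull(str, "Cannot encrypt null value");
        return new EncryptedString(this.keyId, this.alg, encryptInternal(str));
    }

    /**
     * Decrypts and authenticates an {@code IV || ciphertext || tag} payload.
     * Callers are expected to have validated the minimum length first (see
     * {@link #isEncryptedByMe(String)}).
     *
     * @throws CryptoRuntimeException on any provider failure, including a GCM tag mismatch
     */
    private byte[] decryptInternal(byte[] bArr) {
        try {
            Cipher cipher = Cipher.getInstance(AES_CYPHER_TRANSFORM);
            AesCipherText parts = AesCipherText.fromCipherTextWithIv(bArr);
            cipher.init(Cipher.DECRYPT_MODE, this.secretKey, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, parts.iv));
            // doFinal verifies the tag before returning any plaintext.
            return cipher.doFinal(parts.cipherNoIv);
        } catch (GeneralSecurityException e) {
            throw new CryptoRuntimeException(e);
        }
    }

    /**
     * Parses an encoded {@link EncryptedString} and decrypts it.
     *
     * @throws CryptoRuntimeException if the value was not produced with this key and algorithm,
     *     or if decryption fails
     */
    public String decrypt(String str) {
        return decrypt(EncryptedString.parse(str));
    }

    /**
     * Decrypts an envelope after checking that its key id, algorithm and size match this instance.
     *
     * @return the plaintext decoded as UTF-8
     * @throws CryptoRuntimeException if the envelope does not match this encrypter or the GCM tag
     *     does not verify
     */
    public String decrypt(EncryptedString encryptedString) {
        if (isEncryptedByMe(encryptedString.encode())) {
            return new String(decryptInternal(encryptedString.getCipherText()), StandardCharsets.UTF_8);
        }
        throw new CryptoRuntimeException("Input is not encrypted by current encrypter");
    }

    /**
     * Checks whether an encoded value carries this instance's key id and algorithm label and is
     * long enough to hold an IV and a tag.
     *
     * <p>This is a cheap pre-check on unauthenticated header fields, not proof of authenticity:
     * the key id is only 6 hex characters, so different keys can share an id. Authenticity is
     * established only when the GCM tag verifies during decryption.
     *
     * @return {@code true} if the value looks like it was produced by this encrypter
     */
    public boolean isEncryptedByMe(String str) {
        if (!EncryptedString.isEncodedByMe(str)) {
            return false;
        }
        EncryptedString parse = EncryptedString.parse(str);
        // NOTE(review): the key id and algorithm logged below are taken from the parsed input.
        // Confirm that EncryptedString.parse restricts their character set so that attacker-chosen
        // values cannot forge log lines.
        if (!this.keyId.equalsIgnoreCase(parse.getKeyId())) {
            log.warn("Encrypted data with key id {} is not encrypted with current key id of {}", parse.getKeyId(), this.keyId);
            logStackTrackIfNeeded();
            return false;
        }
        if (!this.alg.equalsIgnoreCase(parse.getAlg())) {
            log.warn("Encrypted data with algorithm {} is not encrypted with current algorithm of {}", parse.getAlg(), this.alg);
            logStackTrackIfNeeded();
            return false;
        }
        if (parse.getCipherText().length >= MIN_CIPHER_TEXT_LENGTH) {
            return true;
        }
        log.warn("Encrypted data size of {} is smaller than the minimum required of {}", Integer.valueOf(parse.getCipherText().length), MIN_CIPHER_TEXT_LENGTH);
        logStackTrackIfNeeded();
        return false;
    }

    /** At TRACE level, logs the current call stack to help locate the caller that passed a mismatching value. */
    private void logStackTrackIfNeeded() {
        if (log.isTraceEnabled()) {
            StringBuilder sb = new StringBuilder();
            sb.append("Decryption mismatch stacktrace:");
            for (StackTraceElement stackTraceElement : Thread.currentThread().getStackTrace()) {
                sb.append(System.lineSeparator());
                sb.append("\tat ").append(stackTraceElement);
            }
            log.trace(sb.toString());
        }
    }

    /**
     * Encrypts the text under a fresh random IV and returns {@code IV || ciphertext || tag}.
     *
     * @throws CryptoRuntimeException on any provider failure
     */
    private byte[] encryptInternal(String str) {
        try {
            Cipher cipher = Cipher.getInstance(AES_CYPHER_TRANSFORM);
            byte[] iv = generateRandomInitializationVector();
            cipher.init(Cipher.ENCRYPT_MODE, this.secretKey, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv));
            // Encode explicitly as UTF-8: decrypt() decodes as UTF-8, and the platform default
            // charset used by the no-argument getBytes() can differ between JVMs, which would
            // corrupt non-ASCII secrets on round trip.
            byte[] plaintext = str.getBytes(StandardCharsets.UTF_8);
            return AesCipherText.fromIvAndCipher(iv, cipher.doFinal(plaintext)).getCipherText();
        } catch (GeneralSecurityException e) {
            throw new CryptoRuntimeException(e);
        }
    }

    /** Returns {@code GCM_IV_LENGTH} bytes from a {@link SecureRandom}; a GCM IV must never repeat under one key. */
    private byte[] generateRandomInitializationVector() {
        SecureRandom secureRandom = new SecureRandom();
        byte[] iv = new byte[GCM_IV_LENGTH];
        secureRandom.nextBytes(iv);
        return iv;
    }

    /**
     * Derives the key id: the first 6 hex characters of the SHA-256 digest of the raw key bytes.
     *
     * <p>NOTE(review): this id travels with every ciphertext, so it publishes 24 bits of an
     * unsalted hash of the key. That is harmless for a full-entropy random key but would help
     * confirm guesses of a weak or derived one. Confirm how aesFromString obtains the key.
     */
    private String calculateKeyId(SecretKey secretKey) {
        return DigestUtils.sha256Hex(secretKey.getEncoded()).substring(0, 6).toLowerCase();
    }
}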
